DORA
Digital operational resilience act
Risk management framework
Preamble (Recitals 1 – 30)
Recitals
Title I (Article 1)
General principle
Article 1
Overall risk profile and complexity
Title II (Articles 2 – 27)
Further harmonisation of ICT risk management tools, methods, processes, and policies in accordance with Article 15 of Regulation (EU) 2022/2554
Chapter I (Articles 2 – 18)
ICT security policies, procedures, protocols, and tools
Section 1
Article 2
General elements of ICT security policies, procedures, protocols, and tools
Section 2
Article 3
ICT risk management
Section 3
ICT asset management
Article 4
ICT asset management policy
Article 5
ICT asset management procedure
Section 4
Encryption and cryptography
Article 6
Encryption and cryptographic controls
Article 7
Cryptographic key management
Section 5
ICT operations security
Article 8
Policies and procedures for ICT operations
Article 9
Capacity and performance management
Article 10
Vulnerability and patch management
Article 11
Data and system security
Article 12
Logging
Section 6
Network security
Article 13
Network security management
Article 14
Securing information in transit
Section 7
ICT project and change management
Article 15
ICT project management
Article 16
ICT systems acquisition, development, and maintenance
Article 17
ICT change management
Section 8
Article 18
Physical and environmental security
Chapter II (Articles 19 – 21)
Human resources policy and access control
Article 19
Human resources policy
Article 20
Identity management
Article 21
Access control
Chapter III (Articles 22 – 23)
ICT-related incident detection and response
Article 22
ICT-related incident management policy
Article 23
Anomalous activities detection and criteria for ICT-related incidents detection and response
Chapter IV (Articles 24 – 26)
ICT business continuity management
Article 24
Components of the ICT business continuity policy
Article 25
Testing of the ICT business continuity plans
Article 26
ICT response and recovery plans
Chapter V (Article 27)
Report on the ICT risk management framework review
Article 27
Format and content of the report on the review of the ICT risk management framework
Title III (Articles 28 – 41)
Simplified ICT risk management framework for financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554
Chapter I (Articles 28 – 32)
Simplified ICT risk management framework
Article 28
Governance and organisation
Article 29
Information security policy and measures
Article 30
Classification of information assets and ICT assets
Article 31
ICT risk management
Article 32
Physical and environmental security
Chapter II (Articles 33 – 38)
Further elements of systems, protocols, and tools to minimise the impact of ICT risk
Article 33
Access control
Article 34
ICT operations security
Article 35
Data, system and network security
Article 36
ICT security testing
Article 37
ICT systems acquisition, development, and maintenance
Article 38
ICT project and change management
Chapter III (Articles 39 – 40)
ICT business continuity management
Article 39
Components of the ICT business continuity plan
Article 40
Testing of business continuity plans
Chapter IV (Article 41)
Report on the review of the simplified ICT risk management framework
Article 41
Format and content of the report on the review of the simplified ICT risk management framework
Title IV (Article 42)
Final provisions
Article 42
Entry into force